Splunk rex mode sed

11/18/2023

Use the rex command to either extract fields using regular expression named groups, or replace or substitute characters in a field using sed expressions. Use the regex command to remove results that match or do not match the specified regular expression.

The above works perfectly if I use a delimiter such as a space character or ", ", but I really want to have a newline there.

The difference between the regex and rex commands.

I have a multi-valued field that contains many long text strings, I'm reporting on the permutations that exist in the text strings, and want to do something like this:

mysearch | eval p=mvjoin(myMvField,"") | stats dc(p) AS "Permutation Count" values(p) AS "Permutations"

When I run the search manually and export the results as CSV.

I tried using rex field=messageid mode=sed 's/< > //g' but no substitution occurs.

The XML of the dashboard is included in the results so that I can drop it into TFS.

I'm trying to use rex mode=sed to replace < & > with nothing (effectively removing the brackets), so that field can be later used in a deduplication process (outside Splunk).

I have an alert that pulls back any updated dashboards every day and sends me an email with the attached CSV file.

This might be a silly question, but has anyone figured out how to add line breaks to text that has been evaluated with eval? I'm looking to do something like what you get if you pipe to stats with a values(fieldName) aggregator, where each value of the field is listed, line by line, as part of a single event in a table.

You could try rex mode=sed 's/ //g' to remove but it might not work every time.